Set the SECRET_KEY default value back to "---"

Previously, I had changed the default value to "", to force
users to set the SECRET_KEY value (the app refuses to start
if SECRET_KEY is empty).

The problem with that is, out of the box, with the default
configuration, the tests also don't run and complain about the
empty SECRET_KEY.

So, a compromise: revert back to the default value "---".
At runtime, if SECRET_KEY has the default value, show a  warning
at the top of every page.

docker/.env

@@ -38,7 +38,7 @@ PUSHOVER_SUBSCRIPTION_URL=
 REGISTRATION_OPEN=True
 REMOTE_USER_HEADER=
 RP_ID=
-SECRET_KEY=
+SECRET_KEY=---
 SHELL_ENABLED=False
 SIGNAL_CLI_ENABLED=False
 SITE_NAME=Mychecks

hc/front/templatetags/hc_extras.py

@@ -70,6 +70,15 @@ def debug_warning():
         """
         )
 
+    if settings.SECRET_KEY == "---":
+        return mark_safe(
+            """
+            <div id="debug-warning">
+            Running with an insecure SECRET_KEY value, do not use in production.
+            </div>
+        """
+        )
+
     return ""
 
 

hc/front/tests/test_basics.py

@@ -3,15 +3,22 @@ from django.test.utils import override_settings
 
 
 class BasicsTestCase(TestCase):
+    @override_settings(DEBUG=False, SECRET_KEY="abc")
     def test_it_shows_welcome(self):
         r = self.client.get("/")
         self.assertContains(r, "Get Notified", status_code=200)
         self.assertNotContains(r, "do not use in production")
 
-    @override_settings(DEBUG=True)
+    @override_settings(DEBUG=True, SECRET_KEY="abc")
     def test_it_shows_debug_warning(self):
         r = self.client.get("/")
-        self.assertContains(r, "do not use in production")
+        self.assertContains(r, "Running in debug mode")
+
+    @override_settings(DEBUG=False, SECRET_KEY="---")
+    def test_it_shows_secret_key_warning(self):
+        r = self.client.get("/")
+        self.assertContains(r, "Get Notified", status_code=200)
+        self.assertContains(r, "Running with an insecure SECRET_KEY value")
 
     @override_settings(REGISTRATION_OPEN=False)
     def test_it_obeys_registration_open(self):

hc/settings.py

@@ -26,7 +26,7 @@ def envint(s, default):
     return int(v)
 
 
-SECRET_KEY = os.getenv("SECRET_KEY", "")
+SECRET_KEY = os.getenv("SECRET_KEY", "---")
 METRICS_KEY = os.getenv("METRICS_KEY")
 DEBUG = envbool("DEBUG", "True")
 ALLOWED_HOSTS = os.getenv("ALLOWED_HOSTS", "*").split(",")

templates/docs/self_hosted_configuration.html

@@ -230,8 +230,9 @@ if your site runs on <code>https://my-hc.example.org</code>, set <code>RP_ID</co
 locally with a self-signed certificate, you can use the <code>runsslserver</code> command
 from the <code>django-sslserver</code> package.</p>
 <h2 id="SECRET_KEY"><code>SECRET_KEY</code></h2>
-<p>Default: <code>""</code> (empty string)</p>
+<p>Default: <code>---</code></p>
-<p>A secret key used for cryptographic signing.</p>
+<p>A secret key used for cryptographic signing, and should be set to a unique,
+unpredictable value.</p>
 <p>This is a standard Django setting, read more in
 <a href="https://docs.djangoproject.com/en/3.1/ref/settings/#secret-key">Django documentation</a>.</p>
 <h2 id="SHELL_ENABLED"><code>SHELL_ENABLED</code></h2>

templates/docs/self_hosted_configuration.md

@@ -370,9 +370,10 @@ from the `django-sslserver` package.
 
 ## `SECRET_KEY` {: #SECRET_KEY }
 
-Default: `""` (empty string)
+Default: `---`
 
-A secret key used for cryptographic signing.
+A secret key used for cryptographic signing, and should be set to a unique,
+unpredictable value.
 
 This is a standard Django setting, read more in
 [Django documentation](https://docs.djangoproject.com/en/3.1/ref/settings/#secret-key).